ConsoleMe
ALB Auth (Recommended)


Last updated 3 years ago


ConsoleMe can be deployed behind an Application Load Balancer (ALB) with authentication enabled. It then validates the JWT that the ALB forwards with each request to retrieve the authenticated user and their groups. We have an example configuration here.

The settings that must be defined for the ALB Auth flow to work are as follows:

auth:
  get_user_by_aws_alb_auth: true
  set_auth_cookie: true

get_user_by_aws_alb_auth_settings:
  jwt_email_key: sub
  jwt_groups_key: groups

Prerequisites:

  • A Route53 hosted zone that will contain your ConsoleMe domain

  • An EC2 target group with one or more ConsoleMe instances or containers

  • ConsoleMe (and Celery) should be running with the EC2_REGION environment variable set to the region your instance(s) are in, for example EC2_REGION=us-west-2.

Steps:

  1. Create an Application Load Balancer in AWS with your desired settings.

  2. Create a Security Group to define which IP ranges or security groups can reach your ConsoleMe load balancer. In our case, ConsoleMe is public and we're opening it up to everyone.

  3. Create or use a target group for your ConsoleMe instances/containers. By default, ConsoleMe listens on HTTP port 8081 and answers health-check requests on the /healthcheck endpoint.

  4. Register targets (or skip this for now), and create your load balancer.

  5. In the EC2 console, modify your port 80 listener (Load Balancers > select your newly created load balancer > Listeners > Port 80). Configure the default action to redirect traffic from port 80 to port 443.

  6. Modify your port 443 listener. The first action should authenticate against Cognito or your OIDC identity provider; the next action forwards to your ConsoleMe target group. The scopes required by a few providers:

  • Google (scopes required: openid email)

  • Cognito (scopes required: openid)

  • Okta (scopes required: openid email groups)

  7. The rule after your Authenticate rule should forward to your ConsoleMe target group.

  8. Set up rules on your load balancer to exclude the following endpoints from ALB authentication. These endpoints are used to perform CLI authentication and actions.

Note: Only 5 conditions are allowed per rule, so you'll need two rules to exclude the following paths from authentication, and a third default rule to perform the default authenticate/forward action.

  • /noauth/v1/challenge_poller/*

  • /noauth/v1/challenge_generator/*

  • /api/v1/get_roles*

  • /api/v2/mtls/roles/*

  • /api/v1/get_credentials*

  • /api/v1/myheaders/?

  • /api/v2/get_resource_url*

  9. Create a ConsoleMe configuration to support your ALB authentication experience, and deploy ConsoleMe to your target group with this configuration. When a user authenticates, ConsoleMe receives and decodes two headers sent by the ALB. The first is "X-Amzn-Oidc-Data", which contains the user's identity and claims. The second carries an access token from the identity provider. ConsoleMe attempts to decode the access token and retrieve the user's group memberships based on its configuration.
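The exclusion rules in step 8 are where the security boundary of this setup is drawn: any path matched by them reaches ConsoleMe without the ALB having authenticated the caller, so it is worth checking, before deploying, exactly which paths the rule set leaves unauthenticated. The following is an added example, not ConsoleMe's own code or tooling. It splits the seven paths from the page into rule bodies shaped like the input to aws elbv2 create-rule, honouring the 5-values-per-rule limit the note describes, builds the default authenticate-then-forward action list for the listener, and then evaluates request paths against the plan using ALB path-pattern semantics (per the ALB documentation, * matches zero or more characters and ? matches exactly one). The target group ARN and the OIDC endpoint values are placeholders, and the scopes follow the Okta line in step 6.

```python
"""Plan ALB listener rules that exempt ConsoleMe's CLI endpoints from
authenticate-oidc and check which request paths the plan leaves
unauthenticated.

Added example, not part of ConsoleMe. ARNs and OIDC endpoints below are
placeholders. Path-pattern semantics follow the ALB docs:
'*' matches 0 or more characters, '?' matches exactly one character.
"""
import re

# The endpoints the page says must bypass ALB authentication.
NOAUTH_PATHS = [
    "/noauth/v1/challenge_poller/*",
    "/noauth/v1/challenge_generator/*",
    "/api/v1/get_roles*",
    "/api/v2/mtls/roles/*",
    "/api/v1/get_credentials*",
    "/api/v1/myheaders/?",
    "/api/v2/get_resource_url*",
]

MAX_PATH_VALUES_PER_RULE = 5  # ALB limit on path-pattern values per rule


def plan_listener_rules(paths, target_group_arn, oidc_config,
                        max_values=MAX_PATH_VALUES_PER_RULE):
    """Return (exclusion_rules, default_actions).

    exclusion_rules: one rule body per chunk of `max_values` paths, each
    forwarding straight to the target group (shape of `create-rule` input).
    default_actions: the listener's default action list, authenticate-oidc
    first and forward second (shape of `modify-listener --default-actions`).
    """
    exclusion_rules = []
    for start in range(0, len(paths), max_values):
        chunk = paths[start:start + max_values]
        exclusion_rules.append({
            "Priority": len(exclusion_rules) + 1,  # lower number = evaluated first
            "Conditions": [{
                "Field": "path-pattern",
                "PathPatternConfig": {"Values": chunk},
            }],
            "Actions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
        })
    default_actions = [
        {"Type": "authenticate-oidc", "Order": 1,
         "AuthenticateOidcConfig": oidc_config},
        {"Type": "forward", "Order": 2, "TargetGroupArn": target_group_arn},
    ]
    return exclusion_rules, default_actions


def _pattern_to_regex(pattern):
    """Translate one ALB path pattern into an anchored regular expression."""
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.compile("^" + body + "$")


def is_unauthenticated(path, exclusion_rules):
    """True if `path` matches an exclusion rule and so skips authenticate-oidc.

    `path` is the request path only: ALB path patterns never see the query
    string, so nothing after '?' in a URL influences the match.
    """
    for rule in exclusion_rules:
        for cond in rule["Conditions"]:
            if cond["Field"] != "path-pattern":
                continue
            values = cond["PathPatternConfig"]["Values"]
            if any(_pattern_to_regex(v).match(path) for v in values):
                return True
    return False


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own before use.
    tg_arn = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/consoleme/PLACEHOLDER"
    oidc = {
        "Issuer": "https://IDP_PLACEHOLDER",
        "AuthorizationEndpoint": "https://IDP_PLACEHOLDER/oauth2/v1/authorize",
        "TokenEndpoint": "https://IDP_PLACEHOLDER/oauth2/v1/token",
        "UserInfoEndpoint": "https://IDP_PLACEHOLDER/oauth2/v1/userinfo",
        "ClientId": "CLIENT_ID_PLACEHOLDER",
        "ClientSecret": "CLIENT_SECRET_PLACEHOLDER",
        "Scope": "openid email groups",  # Okta scopes from the page
    }
    rules, defaults = plan_listener_rules(NOAUTH_PATHS, tg_arn, oidc)
    for rule in rules:
        print("rule priority", rule["Priority"], "->",
              rule["Conditions"][0]["PathPatternConfig"]["Values"])
    for p in ["/noauth/v1/challenge_poller/abc", "/noauth/v1/challenge_poller",
              "/api/v1/myheaders/x", "/api/v1/myheaders/", "/policies"]:
        print(p, "-> no auth" if is_unauthenticated(p, rules) else "-> authenticate-oidc")
```

Two details the checker makes visible: /noauth/v1/challenge_poller/* does not match the bare path /noauth/v1/challenge_poller (the slash is literal), and /api/v1/myheaders/? matches only paths with exactly one character after the final slash. Run it against the paths of any new endpoint you add to ConsoleMe to confirm it lands on the authenticated side of the rule set.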

Create or use a TLS certificate for your domain (ACM is recommended for auto-renewal). Choose your ELB Security Policy based on your company's paranoia level.